MITRE ATT&CK® Analytic

AN0497: Analytic 0497

Detection of anomalous ROMMON image changes or upgrades, unexpected reboots following firmware updates, and unauthorized use of firmware upgrade commands or TFTP transfers. Correlation of config modification, privilege escalation, and boot cycle anomalies provides visibility into ROMMON tampering attempts.

Domain: Enterprise | ID: AN0497 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because ROMMON or firmware tampering on network devices can undermine the infrastructure that keeps sites, cloud connectivity, and business services reachable. The ATT&CK object focuses on anomalous ROMMON image changes or upgrades, unexpected reboots after firmware updates, and unauthorized firmware upgrade commands or TFTP transfers. For leaders, the practical question is whether network device firmware changes are governed, logged, and reviewable enough to distinguish planned maintenance from a potentially unauthorized boot-level change.

Executive priority

Prioritize this where network devices are critical to business continuity or segmented operational environments. The decision value is auditability and response readiness: confirm who can authorize firmware or ROMMON changes, what evidence proves a change was approved, and whether SOC/IR teams can quickly correlate configuration modification, privilege escalation, transfer activity, and reboot anomalies during an incident.

Technical view

For SOC, detection engineering, and IR teams, validate visibility on network-device firmware and ROMMON change events, firmware upgrade commands, TFTP transfer activity, configuration modifications, privilege changes, and boot or reboot events. Because no tactic or formal detection logic is supplied, this should be treated as a detection validation theme rather than a ready-to-deploy rule. Correlation is central: a firmware-related command or transfer is more material when paired with privilege escalation, configuration change, or an unexpected boot cycle outside an approved maintenance window.

Likely telemetry

  • Network device command accounting or administrative session logs
  • Configuration change logs from network devices or management platforms
  • Firmware, ROMMON, or image upgrade event records where available
  • TFTP transfer logs or network flow records involving device management paths
  • Device reboot, boot cycle, and uptime telemetry

Detection direction

  • Baseline expected firmware and ROMMON upgrade activity by device class and maintenance window.
  • Correlate firmware upgrade commands, TFTP transfers, config modification, privilege escalation, and reboot anomalies rather than alerting on a single event in isolation.
  • Tune for authorized maintenance to reduce false positives, while requiring evidence of approval for any firmware-related change.
  • Validate whether network devices actually emit the required logs and whether those logs are centralized before relying on this analytic.
  • Pay special attention to blind spots around legacy devices, local console changes, incomplete command accounting, and unmanaged TFTP activity.
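The correlation and maintenance-window tuning described above, as an added example that is not part of the ATT&CK object or Glexia's analysis. It runs over constructed sample events (the device names, timestamps, signal kinds and approval windows are all assumptions) and flags a reboot only when several distinct firmware-related signals precede it on the same device outside an approved window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real device logs: (timestamp, device,
# signal kind, detail). Signal kinds follow the page: privilege escalation,
# TFTP transfer, config modification, firmware/ROMMON command, reboot.
SAMPLE_EVENTS = [
    ("2024-05-01T01:00:00", "core-rtr-1", "privesc", "enable level 15"),
    ("2024-05-01T01:05:00", "core-rtr-1", "tftp", "copy tftp: flash:"),
    ("2024-05-01T01:10:00", "core-rtr-1", "firmware_cmd", "upgrade rom-monitor"),
    ("2024-05-01T01:20:00", "core-rtr-1", "reboot", "reload"),
    # Same pattern on a second device, but inside an approved window.
    ("2024-05-02T22:00:00", "edge-sw-7", "privesc", "enable level 15"),
    ("2024-05-02T22:05:00", "edge-sw-7", "firmware_cmd", "upgrade rom-monitor"),
    ("2024-05-02T22:15:00", "edge-sw-7", "reboot", "reload"),
    # An isolated reboot with no surrounding signals: not enough on its own.
    ("2024-05-03T09:00:00", "branch-rtr-3", "reboot", "power cycle"),
]

# Constructed change-approval data: device -> approved (start, end) windows.
MAINTENANCE = {"edge-sw-7": [("2024-05-02T21:00:00", "2024-05-03T01:00:00")]}


def in_maintenance(device, ts):
    """True when ts falls inside an approved window for this device."""
    return any(datetime.fromisoformat(a) <= ts <= datetime.fromisoformat(b)
               for a, b in MAINTENANCE.get(device, []))


def correlate(events, lookback=timedelta(hours=2), min_signals=2):
    """Return (device, reboot time, prior signal kinds) for each reboot that
    is preceded within lookback, on the same device, by at least min_signals
    distinct non-reboot signal kinds and is not in an approved window."""
    by_device = defaultdict(list)
    for ts, device, kind, detail in events:
        by_device[device].append((datetime.fromisoformat(ts), kind, detail))
    alerts = []
    for device, evs in by_device.items():
        evs.sort()
        for ts, kind, _ in evs:
            if kind != "reboot":
                continue
            prior = {k for t, k, _ in evs
                     if ts - lookback <= t < ts and k != "reboot"}
            if len(prior) >= min_signals and not in_maintenance(device, ts):
                alerts.append((device, ts.isoformat(), sorted(prior)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

In a real deployment the approval data would come from the change-management system and the events from centralized device accounting, with the lookback and signal threshold tuned per device class.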

Mitigation priorities

  • Restrict firmware and ROMMON upgrade privileges to authorized administrative roles.
  • Require formal change approval and maintenance-window tracking for firmware and boot image changes.
  • Centralize network device administrative, configuration, transfer, and reboot telemetry for SOC and IR use.
  • Control and monitor TFTP or equivalent file-transfer paths used for firmware movement.
  • Maintain device inventory, expected firmware baselines, and recovery procedures so unauthorized changes can be assessed and reversed.

Analyst notes and limits

The supplied object is a detection analytic for Network Devices and describes correlation of ROMMON image changes, firmware update behavior, TFTP transfers, configuration modification, privilege escalation, and boot cycle anomalies. No ATT&CK tactic, relationship context, or official detection logic was supplied, so local engineering must define exact event sources, thresholds, and approval data joins.

This take is limited to the official STIX fields, external reference, and absence of relationships provided. It does not establish active exploitation, adversary attribution, impact, or existing detection coverage. Applicability depends on the organization’s network device models, logging capabilities, administrative controls, and change-management evidence.

Official MITRE ATT&CK definition

Analytic 0497

Detection of anomalous ROMMON image changes or upgrades, unexpected reboots following firmware updates, and unauthorized use of firmware upgrade commands or TFTP transfers. Correlation of config modification, privilege escalation, and boot cycle anomalies provides visibility into ROMMON tampering attempts.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 38a36673012cd1df...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 38a36673012c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0497 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.